Identity verification and associated platform
US-2024403403-A1 · Dec 5, 2024 · US
US2018091306A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2018091306-A1 |
| Application number | US-201615275101-A |
| Country | US |
| Kind code | A1 |
| Filing date | Sep 23, 2016 |
| Priority date | Sep 23, 2016 |
| Publication date | Mar 29, 2018 |
| Grant date | — |
Official abstract text for this publication.
A “Database Confidentiality System” provides various techniques for using server-side trusted computing in combination with configurable type metadata and user- or system-definable rules associated with individual database fields to implement database confidentiality. In various implementations, type metadata and one or more rules are added to each database field. Metadata includes a domain, method of encryption, and a pointer to an encryption key used to encrypt the data in the corresponding field. The rules define one or more operations allowed on the corresponding data types. The type metadata and rules are optionally integrity protected and/or encrypted to avoid unauthorized changes or access. Various encryption techniques (e.g., probabilistic, Paillier, etc.) allow some computations to be performed in an untrusted environment without access to the encryption key. This enables the Database Confidentiality System to maintain database confidentiality while performing distributed computation and communications between the untrusted machine and the trusted machine.
Opening claim text (preview).
What is claimed is:

1. A method for securing database operations, comprising: instantiating a database comprising a plurality of fields; adding type metadata to each field, the type metadata for each field comprising information defining a domain of the corresponding field, a method of encryption of the corresponding field, and a reference to an encryption key used to encrypt data in the corresponding field; adding a set of rules to each field, the set of rules for each field comprising information defining a restricted set of operations that are allowed to be performed on the corresponding field; encrypting the data in each field with the method of encryption and the referenced key defined by the corresponding type metadata; safeguarding the type metadata and the rules from unauthorized modification via an integrity protection mechanism; and in an untrusted computing environment, performing secure operations limited by the sets of rules on one or more of the encrypted fields via a combination of distributed computation between an untrusted machine and a trusted machine.
2. The method of claim 1 further comprising encrypting one or more inputs and one or more outputs of the trusted machine.
3. The method of claim 1 further comprising applying different keys to encrypt inputs and outputs of the trusted machine.
4. The method of claim 1 further comprising concealing one or more expressions executed by the trusted machine.
5. The method of claim 1 further comprising limiting the number of calls that can be made to the trusted machine.
6. The method of claim 1 further comprising padding one or more length bounded domains to make the padded domains length indistinguishable.
7. The method of claim 1 wherein adding the set of rules to each field further comprises a program registration process wherein, for each rule, a registration message containing a specification of the restricted set of operations and the encryption keys of all input and output types of those operations is transmitted to the trusted machine and applied to the database by the trusted machine.
8. The method of claim 7 further comprising encrypting the registration message using a public key of the trusted machine.
9. The method of claim 7 wherein the program registration process is a lazy process wherein the registration message associated with a particular operation is only sent to the trusted machine if that particular operation is to be used to interact with the corresponding field.
10. The method of claim 1 further comprising safeguarding error results of the secure operations from unauthorized viewing or access via an integrity protection mechanism.
11. A computing system comprising: at least one processor; and memory storing instructions executable by the at least one processor, wherein the instructions configure the computing system to: instantiate a database comprising a plurality of fields; associate type metadata and one or more rules with each field; the type metadata for each field comprising information defining a domain and encryption information for the corresponding field; the rules for each field comprising a set of allowed operations for the corresponding field; apply the encryption information to encrypt data in each field; in response to a request to perform an operation on one or more fields of the database, confirm that the allowed sets of operations for the corresponding fields include the requested operation; and if the requested operation is included in the allowed sets of operations, execute that requested operation on the one or more fields.
12. The system of claim 11, wherein executing the operation further comprises: executing the operation on either a trusted machine (TM) component of the system or an untrusted machine (UM) component of the system, or on a combination of both the TM and the UM; and wherein the choice between execution via the TM or the UM, or a combination of both the TM and the UM, is determined as a combined function of the type metadata and the rules of the corresponding fields.
13. The system of claim 11 further comprising safeguarding the type metadata and the rules from unauthorized modification via an integrity protection mechanism.
14. The system of claim 11 further comprising safeguarding error results of the requested operation from unauthorized viewing or access via an integrity protection mechanism.
15. The system of claim 11 further comprising limiting the number of calls that can be made to the trusted machine.
16. The system of claim 12 further comprising concealing one or more expressions executed by the TM.
17. A computer-readable storage device having computer-executable instructions stored thereupon which, when executed by a computer, cause the computer to: instantiate a database comprising a plurality of fields; for each field, add corresponding type metadata comprising a domain, a method of encryption, and a pointer to an encryption key; for each field, add a corresponding set of rules comprising a set of allowed operations; for each field, apply the method of encryption and encryption key specified by the corresponding type metadata to encrypt that field; and in an untrusted computing environment, perform secure operations limited by the sets of rules on one or more of the encrypted fields via a combination of distributed computation between an untrusted machine and a trusted machine.
18. The computer-readable storage device of claim 17 further comprising safeguarding the type metadata and the rules from unauthorized modification via an integrity protection mechanism.
19. The computer-readable storage device of claim 17 wherein adding the corresponding set of rules to each field further comprises a program registration process wherein, for one or more rules, a registration message containing a specification of the allowed operations is provided to the trusted machine and applied to the database by the trusted machine.
20. The computer-readable storage device of claim 19 further wherein the program registration process is a lazy process wherein the registration message associated with a particular operation is only provided to the trusted machine when that particular operation is to be used to interact with the corresponding field.
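A toy model of the arrangement the abstract and claims describe, added here as an illustration and not code from the patent itself: each field carries type metadata (domain, encryption method, key reference) and a rule set of allowed operations, both integrity-protected with an HMAC; an untrusted machine sums a Paillier-encrypted column without ever holding the key (product of ciphertexts); and a trusted machine re-verifies the metadata and rules before decrypting and caps how many times it can be called (claim 5). The field names, domains, key references, primes and salary values are all constructed.

```python
import hmac, hashlib, json, secrets
from math import gcd
# Trusted machine (TM) secrets: Paillier key pair (toy 5-digit primes, constructed) and a MAC key.
P, Q = 10007, 10009
N, N2 = P * Q, (P * Q) ** 2
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)     # lambda = lcm(p-1, q-1)
MU = pow(LAM, -1, N)                               # valid because g = n + 1
MAC_KEY = secrets.token_bytes(32)                  # integrity-protects metadata and rules
TM_CALL_BUDGET = {"decrypt": 3}                    # claim 5: cap calls into the TM

def paillier_encrypt(m):
    while gcd(r := secrets.randbelow(N - 1) + 1, N) != 1:
        pass
    return (1 + m * N) * pow(r, N, N2) % N2

def paillier_decrypt(c):
    return (pow(c, LAM, N2) - 1) // N * MU % N

# Per-field type metadata and rules (field names, domains, key references are hypothetical)
FIELDS = {
    "salary": {"meta": {"domain": "uint32", "enc": "paillier", "key_ref": "key:salary:v1"},
               "rules": {"allowed_ops": ["SUM"]}},
    "ssn": {"meta": {"domain": "digits9", "enc": "aes-probabilistic", "key_ref": "key:ssn:v1"},
            "rules": {"allowed_ops": ["EQUALS"]}},
}

def mac_of(field):   # canonical MAC so the untrusted side cannot silently relax a rule
    blob = json.dumps(FIELDS[field], sort_keys=True).encode()
    return hmac.new(MAC_KEY, blob, hashlib.sha256).hexdigest()
TAGS = {f: mac_of(f) for f in FIELDS}

def um_sum(field, ciphertexts):   # untrusted machine: no key, only rule-permitted ops
    if "SUM" not in FIELDS[field]["rules"]["allowed_ops"]:
        raise PermissionError(f"SUM is not an allowed operation on {field}")
    acc = 1
    for c in ciphertexts:          # product of Paillier ciphertexts encrypts the sum
        acc = acc * c % N2
    return acc

def tm_decrypt(field, c):         # trusted machine: re-checks integrity, enforces budget
    if not hmac.compare_digest(TAGS[field], mac_of(field)):
        raise PermissionError("type metadata or rules were modified")
    if TM_CALL_BUDGET["decrypt"] <= 0:
        raise PermissionError("TM call budget exhausted")
    TM_CALL_BUDGET["decrypt"] -= 1
    return paillier_decrypt(c)

def demo():
    enc = [paillier_encrypt(v) for v in (52000, 61000, 47000)]   # constructed salaries
    return tm_decrypt("salary", um_sum("salary", enc))           # 160000
```

Appending an operation to a field's rule list on the untrusted side changes the MAC input, so the next trusted-machine call refuses the request; the same check would reject a swapped key reference or encryption method.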
CPC classification titles:

- to a system of files or objects, e.g. local or distributed file system or database
- for key exchange, e.g. in peer-to-peer networks (cryptographic mechanisms or cryptographic arrangements for key agreement H04L9/0838)
- involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token (network architectures or network communication protocols for supporting authentication of entities using an additional device in a packet data network H04L63/0853)
- received data contents, e.g. message integrity
- Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms (network architectures or network communication protocols for using time-dependent keys in a packet data network H04L63/068)